Secure Your WordPress Site: 9 Must-Know Tips

SevenAtoms Blog

July 11, 2016 Andy Beohar

In 2016, security needs to be a top priority when it comes to your website. In a recent survey, 84% of online users polled had concerns about online safety, so keeping your assets secure is essential to keeping your traffic levels up.

These nine tips will secure your WordPress site in no time and ensure your information stays protected.

1. Update Regularly

Like most internet users, you’ve likely grown accustomed to ignoring the “update” alerts at the top of your WordPress dashboard – but this is opening you up to risk. The most common features of these upgrades are security patches, plugging up any holes that were discovered in the previous version. Hackers target older, more vulnerable versions of WordPress, so by not updating to the latest version of WordPress, you are essentially leaving yourself vulnerable.

2. Always Be Auditing

Perform regular audits of your site’s security features; many major antivirus software companies offer website scanners that will perform the same functions for your site. WordPress also maintains usage logs, so keep an eye out for any activity or IP addresses that don’t look right.

But it’s not just your site you should check – make sure any computers used to access WordPress are kept up to date and are regularly checked for security. If your machine is vulnerable, so is your account.

3. Maintain Plugins and Themes

One of the benefits of WordPress is the easy addition of plugins and theme customization. However, these third-party services won’t always have the same safety measures that you would expect. Ensure that they are regularly updated, and always research any additional features before you install them. Stick with plugins and themes listed on WordPress as they’ve been approved, and avoid premium plugins offered on free sites – if it sounds too good to be true, it probably is.

A good rule of thumb is the fewer plugins you have, the better. Not only will this make for a secure WordPress site, but you’ll also have a faster-loading site. Don’t just deactivate unused plugins; delete them.

4. Add Security Plugins

While on the subject of plugins – finding the right security ones will also help secure your WordPress site. A good place to start is with plugins that restrict multiple login attempts. This will block any hackers that try to figure out your password with repeated attempts, what WordPress refers to as a “brute force attack.”

5. Manage User Access

It can be tempting to grant everyone you work with account access, but for a truly secure WordPress site, it’s best only to give access to those who absolutely need it. The more accounts you have, the more opportunities there are for hackers to get in.

Hopefully, both your business and personal networks are secure, but typically, a public network won’t be. Make sure that any account users only access your WordPress site when on a verified and secure network.

6. Beef Up Passwords and User Names

WordPress is good about generating strong passwords, but users often change them to something easier. Make sure all accounts have unique user names and a strong password. WordPress’s password strength meter is a good guideline to follow – confirm that your users all adhere to it.

You can even go a step further and require two-step authentication using a WordPress-recommended plugin. Users will have a password, but a unique code will also be sent via email or phone each time they log in.

Finally, WordPress recommends that admin accounts – the crown jewel for hackers – should not have generic usernames such as “admin,” as hackers will target these first.

7. Rename Login Pages

The default login page for your WordPress account will typically end with /wp-admin/ or /wp-login.php – easy for you to remember, but also easy for hackers to start their attack. Plugins are available that will help you “hide” your login page, making it harder for malicious hackers to get through your site’s front door.

8. Check File Permissions

Unfortunately, server vulnerabilities can leave your website at risk, so it's always best to host your site somewhere that is secure.

On your end, the file permissions set on your WordPress files and directories also affect how exposed you are. WordPress has recommended standards for file permissions – such as 644 or 650 for files and 755 or 750 for directories – but the wrong setting can have disastrous results. WordPress cautions against 777 permissions in particular, as they can allow a hacker to take control of your site.
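One way to check this on your own install, as an added example that is not part of the original post: a small Python audit that walks a WordPress directory and reports anything writable by group or by everyone. None of the modes listed above (644, 650, 755, 750) grant those bits, while 777 does; the function name and the severity labels are this example's own.

```python
import os
import stat
import sys


def audit_permissions(root):
    """Return sorted (severity, octal_mode, kind, relative_path) findings."""
    # Collect the root itself plus every directory and file beneath it.
    paths = [root]
    for dirpath, dirnames, filenames in os.walk(root):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)

    findings = []
    for path in paths:
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # a symlink's own mode bits say nothing about its target
        mode = stat.S_IMODE(st.st_mode)
        if mode & stat.S_IWOTH:
            severity = "CRITICAL"  # world-writable, e.g. 777 or 666
        elif mode & stat.S_IWGRP:
            severity = "WARN"      # group-writable, e.g. 775 or 664
        else:
            continue               # 644, 650, 755, 750 and tighter pass
        kind = "dir" if stat.S_ISDIR(st.st_mode) else "file"
        rel = os.path.relpath(path, root)
        findings.append((severity, format(mode, "03o"), kind, rel))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_permissions.py /path/to/wordpress
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    results = audit_permissions(target)
    for severity, mode, kind, rel in results:
        print(f"{severity:8} {mode:>4} {kind:4} {rel}")
    sys.exit(1 if results else 0)  # non-zero exit lets a cron job alert
```

The script only reads metadata and changes nothing, so it is safe to run on a schedule alongside the audits from tip 2.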

9. Back Up Your Site

Even with all of the right precautions, today’s savvy hackers are unpredictable. Backing up your site on a set schedule will ensure that even if something should happen, you can get your site up and running quickly.